Software supply chain puts businesses at risk

Attacks that exploit third party applications pose unique challenges.


What a time to be in cyber security! The high-profile breaches just keep rolling in - Equifax, SEC, Deloitte. It’s the new normal. Are we becoming desensitized to it all? Every breach seems to follow the same script – it was someone else’s fault, only a few people were really affected, and it’s not really so bad. Public Relations goes into overdrive. Within days of the breach, more and more evidence surfaces that reveals the only real surprise is why it took so long.

Investors, on the other hand, have not become desensitized, because executive heads are rolling. Business leaders are finally recognizing that there’s a new reality in 2017: If you don’t have control of your security posture, you don’t have control of your business. This is also reflected in short-term share prices after a breach.

CCleaner breach

While the Equifax, SEC and Deloitte breaches received the most news coverage, the incident that really caught my eye was CCleaner. Early reports claimed that Cisco’s Talos researchers discovered Avast’s CCleaner software servers were compromised and used to distribute malware integrated into the CCleaner application, which is used to purge a PC’s temporary files, registry keys, cookies and other digital clutter.

With over 2 billion downloads, CCleaner has a huge installed base. According to reports, 2.27 million users were affected by the hack. Avast Piriform, the Avast subsidiary that develops CCleaner, stated the malware was disarmed before it did any harm.

A few days later, Ars Technica reported that the impact of the breach was worse than first feared. Security researchers established that 20 high profile technology companies were directly targeted using the backdoored application. This evidence was gathered from data found on one of the command and control servers used by the threat actor. The malware had been active for at least 31 days and infected 700,000 systems. Cisco, VMware, Sony, Linksys, Microsoft, Akamai and Gmail, among others, were all targeted to receive a second stage injection.

Commercial hacking by nation states on the rise

Kaspersky Lab has associated some components of the code with APT 17 and Group 72, two threat actor groups with alleged ties to China. This is especially interesting, as China has signed agreements over the past two years with several nations to limit commercial hacking.

This is the third incident identified in the past two months that has targeted third party software products. Ukrainian company MeDoc was similarly breached earlier this year and used to deliver the Petya ransomware. NetSarang, a network management technology vendor used by over 100 banks, was also targeted to deliver a backdoor.

The insidious thing about this type of attack is that threat actors are exploiting the implicit trust users have in the software delivery and update mechanisms of third party technology vendors. The software is legitimately signed using a trusted digital signing certificate.

Supply chain attacks cast a wider net

We will see an increase in threat actors targeting the supply chain. Attackers will continue to seek out the weakest link as it increases their chance of successfully breaching the most hardened targets.

The implications for security professionals are sobering. No matter how much they invest in security or how effective their prevention, detection and response capabilities are, they will still risk being exposed by association. The threat actors don’t have to defeat a company's security measures; they only have to compromise a third party supplier that it works with or relies on.

This will become especially acute as some organizations become more and more adept at security. Even as the security of their own infrastructure increases, it will become more challenging for them to defend against attacks, because these attacks will originate from environments and via vectors that they have little or no control over.

There has already been an increase in the number of large companies requiring and enforcing minimum security standards on suppliers and partners. Some enterprises have also implemented policies and strategies such as network segmentation, which restricts and monitors “untrusted” traffic from third party providers and suppliers to limit the impact of an indirect breach.

This trend will grow and have a greater commercial impact as well, with smaller vendors and providers suffering from a higher barrier of entry to do business with larger and/or more security conscious organizations.

Traditional defences are insufficient

What made the CCleaner incident most concerning was that many security approaches would not have prevented the malware from gaining a foothold in targeted organizations. The real danger is based on the fact that even though the attack vector was a third party vendor’s infrastructure, the actual targets were its end users.

In the case of CCleaner, this application is a free offering, often installed by end users themselves. At that point, the only effective protection mechanism would have been a sophisticated endpoint security tool or a locked-down system without administrative rights.

In scenarios where users were permitted to access the corporate network with a personal device, even if only by remote access, the only semi-effective measure would have been to restrict them to a low risk segment. The only truly effective approach would have been large scale security monitoring conducted using behavioral analysis.

Exploiting third party software platforms effectively increases the ROI of an attack, reaching a far greater volume of victims than direct targeting ever could. Meanwhile, exploiting the implicit trust relationships between providers and their user base greatly reduces the barriers to successful exploitation as it bypasses conventional security measures. Given these advantages, we can expect these types of attacks will only increase as we go forward, adding yet another layer to the onion of the already complex cyber security challenge.

This article is published as part of the IDG Contributor Network.